NSA and CISA Issue New Guidance on DNS
Implementing Protective DNS could help your organization avoid attack…
An article review.
Noting the risks still associated with the Domain Name System (DNS), the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released new guidance on the selection and use of a Protective DNS service (PDNS).
The guidance, released in a cybersecurity information sheet by the NSA and CISA, gives a brief explanation of DNS and the risks associated with it: as DNS was not designed with “bad actors” in mind, there are a number of ways attackers can use it to facilitate an exploit. Furthermore, while there have been security enhancements to DNS (including DNS Security Extensions), these enhancements may not protect against upstream attacks such as a maliciously provisioned DNS server.
By utilizing PDNS, the NSA and CISA say organizations can check DNS queries against current threat intelligence reports and block the resolution of domains known to be associated with malicious activity. Additionally, PDNS can implement additional DNS security enhancements such as DNS over HTTPS (DoH) and DNS over Transport Layer Security (DoT).
While PDNS is not foolproof (as an IP address can be entered directly, avoiding the use of DNS entirely), the NSA and CISA now recommend it be implemented as part of a “defense in depth” strategy consisting of multiple layers of security. To that end the guidance offers a comparison of six leading industry PDNS services, though they also note that the inclusion of those services in the guidance does not constitute an endorsement by either agency.
Original article by Security Magazine.